Question

I have a new certificate from DigiCert (a .pfx file) which, when I try to use it for signing, gives the error "The specified PFX password is not correct". However, the password works fine when installing it locally. I have tried without specifying a password, without success. The certificate was given to me by another person who purchased it.

Thanks

Solution

I had the same issue but solved it by removing " from the password.

Before: signtool.exe sign /f mycert.pfx /p "password" /v /t http://... "application.exe"

After: signtool.exe sign /f mycert.pfx /p password /v /t http://... application.exe

OTHER TIPS

I had the same issue as well when trying to sign dll files with post-build events in Visual Studio. I found out that the issue was having special characters like percentage sign (%) and comma (,) in the password. I fixed it after setting a new password without those special characters.

I hope this helps

Another possible issue is that the encryption of the PFX could be unrecognized; for example, a newer SHA256-encrypted cert cannot be used to sign on older SDKs.

See related SO answers: signtool - the specified PFX password is not correct from new machine

and

Why I get "The specified PFX password is not correct" when trying to sign application with signtool?

I had the same issue in Azure DevOps where I was using a Command Line task:

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe" sign /f "D:\Cert\CodeSigning.pfx" /p %_pwd123_% /d "" /du "" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 "D:\Build\Installer.msi"

This resulted in 'The specified PFX password is incorrect'. But I was able to take the actual script command from the failed pipeline, copy it into a cmd prompt on the build machine and run it (without any changes) successfully.

I also tried creating a pipeline variable as I've seen others do and use that in the command like $(pfxPwd). That also seemed to translate perfectly when run but still failed.

The solution was to use the pipeline variable but include it in the command like this instead: %pfxPwd%

"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\signtool.exe" sign /f "D:\Cert\CodeSigning.pfx" /p %pfxPwd% /d "" /du "" /fd sha256 /tr http://timestamp.comodoca.com/?td=sha256 /td sha256 "D:\Build\Installer.msi"

Perhaps this trouble was caused by the password beginning and ending with %. But since this certificate and password came from IT, there were no other options.

Note: I later discovered that if I change the variable type to 'secret' it no longer works.
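
One way to tell a genuinely wrong password apart from one mangled by quoting or variable expansion, as an added example that is not part of the original answers: open the PFX in-process first, then call signtool with an argument array. The environment variable names PFX_PATH, PFX_PASSWORD, SIGNTOOL_PATH and TARGET_FILE are assumptions; the signtool switches and timestamp URL are the ones used above.

```powershell
# Added example; PFX_PATH, PFX_PASSWORD, SIGNTOOL_PATH and TARGET_FILE are
# hypothetical environment variables set by the build job.
$ErrorActionPreference = 'Stop'

function Test-PfxPassword {
    param([string]$Path, [string]$Password)
    try {
        # Opens the PFX in-process: no cmd.exe quoting or %VAR% expansion involved.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password)
        [pscustomobject]@{ Ok = $true; HasPrivateKey = $cert.HasPrivateKey; Detail = $cert.Subject }
    } catch {
        [pscustomobject]@{ Ok = $false; HasPrivateKey = $false; Detail = $_.Exception.GetBaseException().Message }
    }
}

$pfx      = $env:PFX_PATH
$pw       = $env:PFX_PASSWORD
$signtool = $env:SIGNTOOL_PATH
$target   = $env:TARGET_FILE

if ([string]::IsNullOrEmpty($pw)) {
    throw 'PFX_PASSWORD is empty: the variable was not passed to this step.'
}

$check = Test-PfxPassword -Path $pfx -Password $pw
if (-not $check.Ok) {
    throw "PFX could not be opened with the supplied password: $($check.Detail)"
}
if (-not $check.HasPrivateKey) {
    throw 'PFX opened, but it holds no private key, so it cannot be used for signing.'
}

# Report only whether risky characters exist, never the password itself.
if ($pw -match '[%^&|<>",;= !]') {
    Write-Warning 'Password contains characters that cmd.exe treats specially.'
}

# An argument array passes each value as one argument without cmd.exe parsing.
# Caveat: older PowerShell versions do not escape an embedded double quote.
$signArgs = @('sign', '/f', $pfx, '/p', $pw, '/fd', 'sha256',
              '/tr', 'http://timestamp.comodoca.com/?td=sha256', '/td', 'sha256', '/v', $target)
& $signtool @signArgs
if ($LASTEXITCODE -ne 0) {
    throw "signtool exited with code $LASTEXITCODE"
}
```

If the in-process check passes but signtool still rejects the password, the value is being changed on its way to the tool, or the tool itself cannot read the file. A password passed with /p is visible in the process command line on the build machine, so restrict who can log on to the agent.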

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow